From sanreich at gmx.de Wed Aug 1 12:34:13 2007
From: sanreich at gmx.de (Sandro Reichert)
Date: Wed, 01 Aug 2007 21:34:13 +0200
Subject: [Bro] broccoli and enum
In-Reply-To: <46AFD639.2090309@gmx.de>
References: <46AFD639.2090309@gmx.de>
Message-ID: <46B0E035.2010400@gmx.de>

hi all,

i solved my problem.

best regards,
sandro

> hi all,
>
> i'm playing around with broccoli and i have problems with events that
> contain an enum type. the event is defined in a policy and i can use it
> for inter-bro communication, but broccoli ignores it. calling the event
> without the enum type argument works well.
> where is my mistake?
>
> thanks!!
> sandro
>
>
> example:
> c code (modified 'broping'):
>
> /* callback registered below for the "mytest" event */
> static void
> bro_mytest(BroConn *conn, void *data, uint32 *num, BroRecord *status)
> {
>     /* just print a simple message.... */
>     printf("event mytest received!\n");
> }
>
> bro_event_registry_add(bc, "mytest", (BroEventFunc) bro_mytest, NULL);
>
>
> policy code:
>
> type testtype : enum
> {
>     first_type,
>     second_type,
> };
>
> # 1) doesn't work with broccoli!
> event mytest(123, first_type);
>
> # 2) this works!
> event mytest(123);
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From hassan.syed at ukplc.net Fri Aug 3 01:49:01 2007
From: hassan.syed at ukplc.net (Hassan Syed)
Date: Fri, 3 Aug 2007 09:49:01 +0100
Subject: [Bro] Errata for the reference manual
Message-ID:

Hi guys,

As I couldn't create a login for the wiki I'll post some minor errata for the reference manual. Hope it's found to be useful.

------------------------------------------------------------------------

Table assignment section:

The part to do with making an assignment to an entire table is a bit confusing as to what this functionality does. Perhaps it would be better to express this in a fashion similar to the "record assignment" section
where it talks about C-esque shallow and deep copies. The way this section is currently expressed was leading me to read more between the lines.

----------------------

Set section:

"Also as with tables, you can use the &create_expire, &read_expire, and &write_expire attributes to control the automatic expiration of elements in a set. Deficiency: However, the attribute is not currently supported."

The lacking attribute is not mentioned, causing the person to cross-reference back up to the table attributes. The assumption is that the expiry function attribute is missing.

----------------------

Sets and table section:

Both sections conclude with "you can loop over all of the indices in a set/table using the statement." The statement that does the looping is not shown.

------------------------------------------------------------------------

From hassan.syed at ukplc.net Fri Aug 3 08:26:05 2007
From: hassan.syed at ukplc.net (Hassan Syed)
Date: Fri, 3 Aug 2007 16:26:05 +0100
Subject: [Bro] Generics without templates ?
Message-ID:

Hi Guys,

I was wondering why the concept of generics has been implemented via #define hacking in some of the code (the parts where the connectionPDict and FragReassemblesPdict are defined in session.h). Are there any advantages to doing this instead of templates? It is very tedious looking at this in the code, especially to someone who comes from another language. If there aren't any advantages, shall I refactor it out of the code for the sake of future newbies like me?

Regards
Hassan
From vern at icir.org Fri Aug 3 09:02:31 2007
From: vern at icir.org (Vern Paxson)
Date: Fri, 03 Aug 2007 09:02:31 -0700
Subject: [Bro] Generics without templates ?
In-Reply-To: (Fri, 03 Aug 2007 16:26:05 BST).
Message-ID: <200708031602.l73G2VXQ081304@jaguar.icir.org>

> I was wondering why the concept of generics has been implemented via
> #define hacking in some of the code

Because those parts are very old.

> If there aren't any advantages shall I refactor it
> out of the code for the sake of future newbies like me?

I don't view this as a priority. That code is now very stable and the development team knows how to work with it. It's also not code that most newbies need to try to understand (though I can appreciate your stress at doing so).

Vern

From robin at icir.org Fri Aug 3 17:56:39 2007
From: robin at icir.org (Robin Sommer)
Date: Fri, 3 Aug 2007 17:56:39 -0700
Subject: [Bro] Errata for the reference manual
In-Reply-To:
References:
Message-ID: <20070804005639.GA27331@icir.org>

On Fri, Aug 03, 2007 at 09:49 +0100, Hassan Syed wrote:

> As I couldn't create a login for the wiki I'll post some minor errata
> for the reference manual.

Thanks! I'll create a Wiki account for you so that you can adapt the documentation right there.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From sanreich at gmx.de Fri Aug 3 19:07:32 2007
From: sanreich at gmx.de (Sandro Reichert)
Date: Sat, 04 Aug 2007 04:07:32 +0200
Subject: [Bro] runtime-error, value used but not set
Message-ID: <46B3DF64.4040504@gmx.de>

Hi all!

We are using bro at Dresden University of Technology to develop a prototype of a mobile wireless IDS. I use broccoli to communicate between my local bro and my manager application. I need to add and remove peers for inter-bro communication without restarting bro.
Therefore I added some new events to remote.bro to add and remove peers. To close an active connection, I added some lines in RemoteSerializer and bro.bif(_orig) to call RS::CloseConnection. Adding and connecting new peers works fine, but I get the runtime error 'value used but not set' when I call close_connection(id). What did I do wrong?

Thanks for your help!
Sandro

my changes:

remote.bro:

event broccoli_remove_peer(host: addr)
    {
    for ( id in connected_peers )
        {
        if ( connected_peers[id]$host == host )
            {
            print (fmt("remove peerID '%s', host = %s", id, host));
            close_connection(id);
            }
        }
    }

bro.bif / bro.bif.orig:

function close_connection%(id: count%) : bool
    %{
    return new Val(remote_serializer->CloseConnection(id), TYPE_BOOL);
    %}

RemoteSerializer.h (public):

    bool CloseConnection(PeerID id);

RemoteSerializer.cc:

bool RemoteSerializer::CloseConnection(PeerID id)
    {
    return CloseConnection(LookupPeer(id, true));
    }

From jp.luiggi at free.fr Sat Aug 4 07:51:44 2007
From: jp.luiggi at free.fr (jean-philippe luiggi)
Date: Sat, 4 Aug 2007 10:51:44 -0400
Subject: [Bro] Errata for the reference manual
In-Reply-To: <20070804005639.GA27331@icir.org>
References: <20070804005639.GA27331@icir.org>
Message-ID: <20070804105144.4ee8a03f@mygw.lan.mynetwork.local>

Hello,

Speaking of Wiki, what do you think of putting documentation in foreign languages on it (I mean French, for example)?

Best regards,

Jean-philippe.

On Fri, 3 Aug 2007 17:56:39 -0700
Robin Sommer wrote:

> On Fri, Aug 03, 2007 at 09:49 +0100, Hassan Syed wrote:
>
> > As I couldn't create a login for the wiki I'll post some minor
> > errata for the reference manual.
>
> Thanks! I'll create a Wiki account for you so that you can adapt the
> documentation right there.
> Robin

From robin at icir.org Mon Aug 6 09:50:18 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 6 Aug 2007 09:50:18 -0700
Subject: [Bro] runtime-error, value used but not set
In-Reply-To: <46B3DF64.4040504@gmx.de>
References: <46B3DF64.4040504@gmx.de>
Message-ID: <20070806165018.GC9654@icir.org>

On Sat, Aug 04, 2007 at 04:07 +0200, you wrote:

> Adding and connecting new peers works fine, but I get the runtime error
> 'value used but not set' when I call close_connection(id). What did I do wrong?

That is a script-layer message indicating that script code is accessing a variable which hasn't been initialized. I don't really see any problem along these lines in the code snippets you posted. Which line does the error message report? Is it the close_connection() call or some other location?

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Aug 6 11:02:58 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 6 Aug 2007 11:02:58 -0700
Subject: [Bro] Errata for the reference manual
In-Reply-To: <20070804105144.4ee8a03f@mygw.lan.mynetwork.local>
References: <20070804005639.GA27331@icir.org> <20070804105144.4ee8a03f@mygw.lan.mynetwork.local>
Message-ID: <20070806180258.GD10181@icir.org>

On Sat, Aug 04, 2007 at 10:51 -0400, jean-philippe luiggi wrote:

> Speaking of Wiki, what do you think of putting on it,
> documentation in foreign languages (I mean French, for example)?

Sure, *any* documentation is good. :-)

In general we prefer English text, just because that's what benefits most people.
If however you are either more comfortable writing French or want to specifically address people in the French community for whom English documentation isn't of much help, I'd also be happy to see a "foreign section" on the Wiki (as long as nobody expects me to proof-read it :-)

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From jp.luiggi at free.fr Mon Aug 6 11:56:34 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Mon, 06 Aug 2007 14:56:34 -0400
Subject: [Bro] Errata for the reference manual
In-Reply-To: <20070806180258.GD10181@icir.org>
References: <20070804005639.GA27331@icir.org> <20070804105144.4ee8a03f@mygw.lan.mynetwork.local> <20070806180258.GD10181@icir.org>
Message-ID: <20070806185633.GA1074@armada.mynetwork.local>

Hello,

I understand perfectly the need to write in English (this is why I'll do my best to use it), but as you said, I would like to address people for whom English documentation isn't of much help, so here is my idea.

Best regards,

Jean-philippe.

PS : Yes, I'm more comfortable with French than English. :-)

On Mon, Aug 06, 2007 at 11:02:58AM -0700, Robin Sommer wrote:

> > documentation in foreign languages (I mean French, for example)?
>
> Sure, *any* documentation is good. :-)
>
> In general we prefer English text, just because that's what benefits
> most people.
> If however you are either more comfortable writing
If however you are either more comfortable writing > French or want to specifically address people in the French > community for whom English documentation isn't of much help, I'd > also be happy to see a "foreign section" on the Wiki (as long as > nobody exepects me to proof-read it :-) > > Robin > > -- > Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org > LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org From sanreich at gmx.de Mon Aug 6 12:04:22 2007 From: sanreich at gmx.de (Sandro Reichert) Date: Mon, 06 Aug 2007 21:04:22 +0200 Subject: [Bro] runtime-error, value used but not set In-Reply-To: <20070806165018.GC9654@icir.org> References: <46B3DF64.4040504@gmx.de> <20070806165018.GC9654@icir.org> Message-ID: <46B770B6.2070408@gmx.de> Hi! >> Adding and connecting new peers works fine, but I get the runtime-error >> 'value used but not set' when I call close_connection(id). What did I wrong? > > That is a script-layer message indicating that script code is > accessing a variable which hasn't been initialized. I don't really > see any problem along with these lines in the code snippets you > posted. Which line does the error message report? Is it the > close_connection() call or some other location? Yes, the reported line is close_connection(id). But the id is set. print (fmt("remove peerID '%s', host = %s", id, host)); prints the correct id (I compared it with the id in remote.log). By the way: did you got my mail about our wireless patch and inter-bro communication I sent some month ago? Bye, Sandro From robin at icir.org Mon Aug 6 15:42:00 2007 From: robin at icir.org (Robin Sommer) Date: Mon, 6 Aug 2007 15:42:00 -0700 Subject: [Bro] runtime-error, value used but not set In-Reply-To: <46B770B6.2070408@gmx.de> References: <46B3DF64.4040504@gmx.de> <20070806165018.GC9654@icir.org> <46B770B6.2070408@gmx.de> Message-ID: <20070806224200.GA13945@icir.org> On Mon, Aug 06, 2007 at 21:04 +0200, you wrote: > Yes, the reported line is close_connection(id). 
> But the id is set.
> print (fmt("remove peerID '%s', host = %s", id, host)); prints the
> correct id (I compared it with the id in remote.log).

Hmmm... Then this looks to me like a case for the debugger, since I have no good idea at the moment. Could you set a breakpoint on run_time() and send me the stack backtrace?

> By the way: did you get my mail about our wireless patch and inter-bro
> communication I sent some months ago?

Um, yes, it is still waiting to be dealt with. After the long break I lacked the context to look into it more closely right away, and as these things go, it was then left lying around... I'll have another look. (Do you need anything specific?)

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Aug 6 17:10:59 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 6 Aug 2007 17:10:59 -0700
Subject: [Bro] runtime-error, value used but not set
In-Reply-To: <20070806224200.GA13945@icir.org>
References: <46B3DF64.4040504@gmx.de> <20070806165018.GC9654@icir.org> <46B770B6.2070408@gmx.de> <20070806224200.GA13945@icir.org>
Message-ID: <20070807001059.GC13945@icir.org>

Um, sorry, this was obviously not supposed to go to the list. :-)

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From dcaldwell at colsa.com Thu Aug 9 07:39:47 2007
From: dcaldwell at colsa.com (David Caldwell)
Date: Thu, 09 Aug 2007 09:39:47 -0500
Subject: [Bro] Howto set up specific filters
Message-ID: <1186670387.5907.6.camel@dcaldwell>

How do I set up a specific filter in BRO? For example, I want to filter things like aim, irc, edonkey, bittorrent... etc.
Thanks,

David Caldwell

From abbd2005 at yahoo.fr Fri Aug 10 10:56:55 2007
From: abbd2005 at yahoo.fr (abd abd)
Date: Fri, 10 Aug 2007 17:56:55 +0000 (GMT)
Subject: [Bro] Construction of connection
Message-ID: <260944.92776.qm@web26307.mail.ukl.yahoo.com>

Hi,

I would like to make a connection of protocol TCP. Can you give me documentation or a URL that explains why to make this?

Thank you very much

From abbd2005 at yahoo.fr Fri Aug 10 11:01:54 2007
From: abbd2005 at yahoo.fr (abd abd)
Date: Fri, 10 Aug 2007 18:01:54 +0000 (GMT)
Subject: [Bro] Construction of connection
Message-ID: <787013.26572.qm@web26308.mail.ukl.yahoo.com>

Hi,

I would like to make a connection of protocol TCP. Can you give me documentation or a URL that explains why to make this?

Thank you very much

From jp.luiggi at free.fr Sat Aug 11 06:36:59 2007
From: jp.luiggi at free.fr (jean-philippe luiggi)
Date: Sat, 11 Aug 2007 09:36:59 -0400
Subject: [Bro] Construction of connection
In-Reply-To: <260944.92776.qm@web26307.mail.ukl.yahoo.com>
References: <260944.92776.qm@web26307.mail.ukl.yahoo.com>
Message-ID: <20070811093659.03be1f09@mygw.lan.mynetwork.local>

Hello,

Could you give us more details about what you want?

If I follow your need, you want to make a connection, but "Bro" isn't a packet generator as "hping", etc. would be.

Best regards,

Jean-philippe.
PS : I'll continue in French (I see yahoo.fr), so I hope it'll be easier to find out what you need.

Hello,

Could you describe your needs in more detail? What exactly do you want to do?

Regards,

Jean-philippe.

On Fri, 10 Aug 2007 17:56:55 +0000 (GMT)
abd abd wrote:

> Hi,
>
> I would like to make a connection of protocol TCP. Can you give me
> documentation or a URL that explains why to make this?
> Thank you very much

From sanreich at gmx.de Sat Aug 11 08:32:38 2007
From: sanreich at gmx.de (Sandro Reichert)
Date: Sat, 11 Aug 2007 17:32:38 +0200
Subject: [Bro] Construction of connection
In-Reply-To: <787013.26572.qm@web26308.mail.ukl.yahoo.com>
References: <787013.26572.qm@web26308.mail.ukl.yahoo.com>
Message-ID: <46BDD696.4040404@gmx.de>

Hi,

> I would like to make a connection of protocol TCP. Can you give me
> documentation or a URL that explains why to make this?

Do you want to create an inter-bro connection between two bro nodes alice and bob? A short documentation can be found in chapter 3.5:

http://www.icir.org/christian/broccoli/manual/c85.html

For testing cleartext communication between the two nodes, you can use something like the following lines.

site/bob.bro:

@load listen-clear

redef Remote::destinations += {
    ["alice"] = [$host = 192.168.0.10, $events = /.*/, $connect = T, $ssl = F]
};

site/alice.bro:

@load listen-clear

redef Remote::destinations += {
    ["bob"] = [$host = 192.168.0.11, $events = /.*/, $connect = F, $ssl = F]
};

To specify which events you want to register for, use $events = pattern, where pattern is a regular-expression pattern. The syntax is the same as for the flex version of the lex utility:

http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Values%2C_Types%2C_and_Constants#Patterns

I hope this is what you asked for!
Bye,
sandro

From abbd2005 at yahoo.fr Sat Aug 11 11:23:38 2007
From: abbd2005 at yahoo.fr (abd abd)
Date: Sat, 11 Aug 2007 18:23:38 +0000 (GMT)
Subject: [Bro] Connections
Message-ID: <779577.2401.qm@web26310.mail.ukl.yahoo.com>

Hi,

I would like to make a NIDS; for that I must construct connections. One connection begins with Syn+Syn_Ack+Ack+......+Ack+.......Fin_Ack+ack+Fin_ack+ack. I can't find an example of how to make FLAG; the flag can be S0, RSTO, SF, REJ.

Can you give documentation for the construction of connections and attributes like FLAG, Duration, .....

Thank you very much

From abbd2005 at yahoo.fr Sat Aug 11 11:23:52 2007
From: abbd2005 at yahoo.fr (abd abd)
Date: Sat, 11 Aug 2007 18:23:52 +0000 (GMT)
Subject: [Bro] Connections
Message-ID: <755708.59031.qm@web26309.mail.ukl.yahoo.com>

Hi,

I would like to make a NIDS; for that I must construct connections. One connection begins with Syn+Syn_Ack+Ack+......+Ack+.......Fin_Ack+ack+Fin_ack+ack. I can't find an example of how to make FLAG; the flag can be S0, RSTO, SF, REJ.

Can you give documentation for the construction of connections and attributes like FLAG, Duration, .....

Thank you very much
From sanreich at gmx.de Sat Aug 11 11:43:30 2007
From: sanreich at gmx.de (Sandro Reichert)
Date: Sat, 11 Aug 2007 20:43:30 +0200
Subject: [Bro] Fwd: Re: Connections
In-Reply-To: <449373.53496.qm@web26308.mail.ukl.yahoo.com>
References: <449373.53496.qm@web26308.mail.ukl.yahoo.com>
Message-ID: <46BE0352.1050200@gmx.de>

Hi,

sorry, I don't understand your question, so I forwarded it to the list.

Bye
Sandro

> Thank you very much for answering my message,
>
> I would like to make a NIDS; for that I must construct connections. One
> connection begins with
> Syn+Syn_Ack+Ack+......+Ack+.......Fin_Ack+ack+Fin_ack+ack.
> I can't find an example of how to make FLAG; the flag can be S0, RSTO, SF, REJ.
>
> Can you give documentation for the construction of connections and
> attributes like FLAG, Duration, .....
>
> Thank you very much

From adayadil.thomas at gmail.com Sun Aug 12 19:45:09 2007
From: adayadil.thomas at gmail.com (Adayadil Thomas)
Date: Sun, 12 Aug 2007 22:45:09 -0400
Subject: [Bro] RST handling
Message-ID:

Greetings.

I have a general TCP RST handling question.

Assuming the state of a connection is established, data has been transferred to and fro, and then the server sends a RST packet (or two) [1] to the client and the session ends soon after.

From an IDS/IPS standpoint,
- should the session be transitioned to closed upon seeing the first RST?
- if not, is the session marked as SEEN_RST or something and timed out?

From an IPS point of view (which does not allow stateless traffic), knowing when to remove the connection is critical, isn't it?

I would like to know from the bro standpoint and in general.

Thanks a lot for any information/viewpoint.
-Ashley

[1] Why does the server send two RST as in the example below --

15:47:05.990438 192.168.0.1.8080 > 192.168.1.1.46615: R 1:1(0) ack 10500305 win 32768 (DF)
15:47:05.990499 192.168.0.1.8080 > 192.168.1.1.46615: R 4223569903:4223569903(0) win 0 (DF)

From robin at icir.org Mon Aug 13 13:00:31 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 13 Aug 2007 13:00:31 -0700
Subject: [Bro] RST handling
In-Reply-To:
References:
Message-ID: <20070813200031.GA7210@icir.org>

On Sun, Aug 12, 2007 at 22:45 -0400, Adayadil Thomas wrote:

> I would like to know from the bro standpoint and in general.

The general problem here is that a passive NIDS can never be sure about what the endpoints' state of a connection is. A NIDS monitors the traffic and uses a bunch of heuristics to understand what's going on, but it's unrealistic to assume that each host on the Internet conforms with the RFCs. On the one hand an attacker can always craft non-conforming traffic; on the other hand, and worse, there's just a large amount of software out there which interprets the standards rather "liberally" (and sometimes cannot even be blamed for that, because standards often ignore corner cases and rarely specify behaviour for non-conforming traffic).

This is the case for keeping track of TCP states, as in your example, and also for lots of the classic evasion attacks like overlapping TCP payload. Bro tries hard to detect ambiguous cases; that's what all these "weirds" are about. And it has a large number of options to tweak the details of its processing (e.g., there are timeouts which tell Bro how long to wait after the presumed end of a connection before actually timing the state out, allowing for more packets to arrive during this interval, like duplicated resets). That's as much as it can do however. An active system (i.e., a NI*P*S) can do more if you are willing to accept the impact that it may have on your network traffic.
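The passive-tracking problem described in this reply (and the S0/SF/REJ/RSTO flags asked about in the "Connections" thread), as an added Python example that is not part of any message in this archive: a small tracker that labels each connection with a Bro-style conn_state value and keeps a closed connection addressable for a short grace interval, so that the second RST in the tcpdump excerpt is attributed to the existing connection instead of being misread as a new flow. The Packet, Conn and Tracker classes, the reset_delay knob and the packet trace are constructed for this example; the trace only reuses the endpoints and timestamps from the quoted tcpdump lines, and the conn_state mapping follows Bro's documented vocabulary but simplifies it.

```python
"""Passive TCP connection tracker that assigns Bro-style conn_state labels.
Constructed example, not Bro code; reset_delay models the "wait after the
presumed end" timeout idea described in the thread."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    ts: float    # seconds
    src: str     # "ip:port"
    dst: str     # "ip:port"
    flags: str   # tcpdump letters: S, A, F, R

@dataclass
class Conn:
    orig: str                      # sender of the first packet we saw
    resp: str
    start: float
    last: float
    syn: bool = False              # SYN from orig
    synack: bool = False           # SYN-ACK from resp
    orig_fin: bool = False
    resp_fin: bool = False
    orig_rst: bool = False
    resp_rst: bool = False
    closed_at: Optional[float] = None
    trailing: int = 0              # packets absorbed after the close

    def conn_state(self) -> str:
        """Simplified mapping onto Bro's conn_state vocabulary."""
        if self.syn and not self.synack:        # handshake never completed
            if self.resp_rst: return "REJ"      # rejected by responder
            if self.orig_rst: return "RSTOS0"   # SYN then RST from orig
            if self.orig_fin: return "SH"       # SYN then FIN from orig
            return "S0"                         # attempt seen, no reply
        if self.syn and self.synack:            # established
            if self.orig_rst: return "RSTO"     # orig aborted with RST
            if self.resp_rst: return "RSTR"     # resp aborted with RST
            if self.orig_fin and self.resp_fin: return "SF"  # normal teardown
            if self.orig_fin: return "S2"       # orig closed, no reply
            if self.resp_fin: return "S3"       # resp closed, no reply
            return "S1"                         # established, not terminated
        return "OTH"                            # no handshake seen (midstream)

class Tracker:
    def __init__(self, reset_delay: float = 5.0):
        # Seconds a closed connection stays addressable so late packets
        # (a duplicated RST, a straggling ACK) are not misread as a new flow.
        self.reset_delay = reset_delay
        self.active = {}            # (endpoint, endpoint) -> Conn
        self.finished: List[Conn] = []

    def feed(self, p: Packet) -> Conn:
        key = (min(p.src, p.dst), max(p.src, p.dst))
        c = self.active.get(key)
        if c is not None and c.closed_at is not None:
            if p.ts - c.closed_at <= self.reset_delay:
                c.trailing += 1     # e.g. the second RST in the excerpt
                c.last = p.ts
                return c
            self.finished.append(self.active.pop(key))  # grace period over
            c = None
        if c is None:
            c = Conn(orig=p.src, resp=p.dst, start=p.ts, last=p.ts)
            self.active[key] = c
        c.last = p.ts
        from_orig = p.src == c.orig
        if "S" in p.flags:          # SYN from orig, SYN-ACK from resp
            c.syn |= from_orig and "A" not in p.flags
            c.synack |= (not from_orig) and "A" in p.flags
        for flag, attr in (("F", "fin"), ("R", "rst")):
            if flag in p.flags:
                setattr(c, ("orig_" if from_orig else "resp_") + attr, True)
        if "R" in p.flags or (c.orig_fin and c.resp_fin):
            c.closed_at = p.ts      # presumed end; keep the state a bit longer
        return c

    def flush(self) -> List[Conn]:
        for key in list(self.active):   # retire whatever is still open
            self.finished.append(self.active.pop(key))
        return self.finished

def trace_from_thread() -> List[Packet]:
    """Constructed trace around the two RSTs quoted in the thread."""
    c, s = "192.168.1.1:46615", "192.168.0.1:8080"
    t = 15 * 3600 + 47 * 60 + 5.0          # 15:47:05 as seconds of day
    return [Packet(t - 1.0, c, s, "S"), Packet(t - 0.99, s, c, "SA"),
            Packet(t - 0.98, c, s, "A"), Packet(t - 0.5, c, s, "A"),
            Packet(t - 0.4, s, c, "A"), Packet(t + 0.990438, s, c, "RA"),
            Packet(t + 0.990499, s, c, "R")]

def summarize(packets: List[Packet]) -> list:
    """conn.log-like rows: (orig, resp, conn_state, duration, trailing)."""
    tr = Tracker()
    for p in packets:
        tr.feed(p)
    return [(c.orig, c.resp, c.conn_state(), round(c.last - c.start, 6),
             c.trailing) for c in tr.flush()]
```

Feeding the trace through summarize() yields one RSTR connection with one trailing packet, rather than two connections; lowering reset_delay below 61 microseconds would split it in two.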
In general, a NIPS can either simply block all traffic which it can't reliably interpret, or it can try to normalize it by rewriting the packets into a more well-defined state.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From whiteln at 126.com Tue Aug 14 02:07:11 2007
From: whiteln at 126.com (whiteln)
Date: Tue, 14 Aug 2007 17:07:11 +0800
Subject: [Bro] how to deploy bro-ids on openbsd
Message-ID: <91E101893F8B40728A7513B0128A4B11@wsldell>

Hi

how to deploy bro-ids on openbsd?

While I install bro-ids on openbsd4.0, there are many errors. What is necessary for deployment?

From jp.luiggi at free.fr Tue Aug 14 04:31:23 2007
From: jp.luiggi at free.fr (jean-philippe luiggi)
Date: Tue, 14 Aug 2007 07:31:23 -0400
Subject: [Bro] how to deploy bro-ids on openbsd
In-Reply-To: <91E101893F8B40728A7513B0128A4B11@wsldell>
References: <91E101893F8B40728A7513B0128A4B11@wsldell>
Message-ID: <20070814073123.3ee13c9f@mygw.lan.mynetwork.local>

Hello,

Do you use the last version of Bro? Bro since version 1.3 is working perfectly with OpenBSD (on last stable: 4.1 and -current).

Could you give us some logs about errors?

Best regards,

Jean-philippe.

On Tue, 14 Aug 2007 17:07:11 +0800
"whiteln" wrote:

> Hi
>
> how to deploy bro-ids on openbsd?
>
> While I install bro-ids on openbsd4.0, there are many errors. What is
> necessary for deployment?

From whiteln at 126.com Tue Aug 14 05:45:40 2007
From: whiteln at 126.com (whiteln)
Date: Tue, 14 Aug 2007 20:45:40 +0800
Subject: [Bro] Re: how to deploy bro-ids on openbsd
In-Reply-To: <20070814073123.3ee13c9f@mygw.lan.mynetwork.local>
Message-ID:

Thanks

I deployed bro1.2 on OpenBSD.
At the make step, it lists the error: net/ethernet.h: No such file or directory

While installing bro.1.3.2, it works well.

-----Original Message-----
From: jean-philippe luiggi [mailto:jp.luiggi at free.fr]
Sent: 2007-08-14 19:31
To: whiteln
Cc: Bro at bro-ids.org
Subject: Re: [Bro] how to deploy bro-ids on openbsd

Hello,

Do you use the last version of Bro? Bro since version 1.3 is working perfectly with OpenBSD (on last stable: 4.1 and -current).

Could you give us some logs about errors?

Best regards,

Jean-philippe.

From nikns at secure.lv Tue Aug 14 06:06:20 2007
From: nikns at secure.lv (Nikns Siankin)
Date: Tue, 14 Aug 2007 16:06:20 +0300
Subject: [Bro] how to deploy bro-ids on openbsd
In-Reply-To: <91E101893F8B40728A7513B0128A4B11@wsldell>
References: <91E101893F8B40728A7513B0128A4B11@wsldell>
Message-ID: <20070814130620.GA23081@secure.lv>

http://secure.lv/~nikns/stuff/ports/bro-1.2.1.tar

Here is an old one...

On Tue, Aug 14, 2007 at 05:07:11PM +0800, whiteln wrote:
>Hi
>
>how to deploy bro-ids on openbsd?
>
>While I install bro-ids on openbsd4.0, there are many errors. What is
>necessary for deployment?

From jp.luiggi at free.fr Tue Aug 14 07:50:30 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Tue, 14 Aug 2007 10:50:30 -0400
Subject: [Bro] Re: how to deploy bro-ids on openbsd
In-Reply-To:
References: <20070814073123.3ee13c9f@mygw.lan.mynetwork.local>
Message-ID: <20070814145030.GA17610@armada.mynetwork.local>

Hello,

It's "normal" you run into trouble with 1.2 ...
Even if I already made OpenBSD work with this version, we needed to modify Bro's code, so I suggest you move up to the last release of the IDS.

There's another advantage to using OpenBSD with version 1.3: you have the DNS non-blocking feature (if you installed the "libbind" package).

Best regards,

Jean-philippe.

On Tue, Aug 14, 2007 at 08:45:40PM +0800, whiteln wrote:

> Thanks
> I deployed bro1.2 on OpenBSD.
> At the make step, it lists the error:
> net/ethernet.h: No such file or directory
>
> While installing bro.1.3.2, it works well.

From pclin at cis.nctu.edu.tw Tue Aug 14 10:43:50 2007
From: pclin at cis.nctu.edu.tw (Po-Ching Lin)
Date: Wed, 15 Aug 2007 01:43:50 +0800
Subject: [Bro] A question about generating Makefile.in from Makefile.am
Message-ID: <20070815012457.580A.PCLIN@cis.nctu.edu.tw>

Dear All,

I added some files under the /src directory and modified Makefile.am to reflect the revision. I tried to use the 'autoconf' commands (e.g., autoscan and automake, etc.) to generate Makefile.in, as suggested in many on-line manuals, but failed to make it.
Unlike the cases in these on-line manuals, Bro seems not to need 'configure.in' under the /src directory, but automake will complain about this. I am not so familiar with the autoconf tools. Would anyone please give me a pointer to solve the problem? Thanks.

Best regards,

--
Po-Ching Lin

From robin at icir.org Tue Aug 14 13:16:21 2007
From: robin at icir.org (Robin Sommer)
Date: Tue, 14 Aug 2007 13:16:21 -0700
Subject: [Bro] A question about generating Makefile.in from Makefile.am
In-Reply-To: <20070815012457.580A.PCLIN@cis.nctu.edu.tw>
References: <20070815012457.580A.PCLIN@cis.nctu.edu.tw>
Message-ID: <20070814201621.GD8819@icir.org>

On Wed, Aug 15, 2007 at 01:43 +0800, Po-Ching Lin wrote:

> to reflect the revision. I tried to use the 'autoconf' commands (e.g.,
> autoscan and automake, etc.) to generate Makefile.in,

There's a script autogen.sh in the top-level directory of the distribution which does the right kind of magic to generate all the necessary autotools files.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From pclin at cis.nctu.edu.tw Tue Aug 14 16:14:25 2007
From: pclin at cis.nctu.edu.tw (Po-Ching Lin)
Date: Wed, 15 Aug 2007 07:14:25 +0800
Subject: [Bro] A question about generating Makefile.in from Makefile.am
In-Reply-To: <20070814201621.GD8819@icir.org>
References: <20070815012457.580A.PCLIN@cis.nctu.edu.tw> <20070814201621.GD8819@icir.org>
Message-ID: <20070815065602.A2DE.PCLIN@cis.nctu.edu.tw>

Thanks a lot, Robin. The configuration becomes much easier with this script :-)

I also found another problem. The script autogen.sh in the top-level directory attempts to run "aux/broccoli/autogen.sh", but autogen.sh is missing in the 'broccoli' directory. This makes autogen.sh in the top level abort. The problem exists even in the latest version, 1.3.2.
I made a copy of the autogen.sh from the "binpac" directory to the "broccoli" directory, and modified the line with "NAME=binpac" to "NAME=broccoli". This ad hoc solution seems workable, as the autogen.sh can exit normally now.

Po-Ching

On Tue, 14 Aug 2007 13:16:21 -0700
Robin Sommer wrote:

> On Wed, Aug 15, 2007 at 01:43 +0800, Po-Ching Lin wrote:
>
> > to reflect the revision. I tried to use the 'autoconf' commands (e.g.,
> > autoscan and automake, etc.) to generate Makefile.in,
>
> There's a script autogen.sh in the top-level directory of the
> distribution which does the right kind of magic to generate all the
> necessary autotools files.
>
> Robin

--
Po-Ching Lin

From robin at icir.org Tue Aug 14 16:23:46 2007
From: robin at icir.org (Robin Sommer)
Date: Tue, 14 Aug 2007 16:23:46 -0700
Subject: [Bro] A question about generating Makefile.in from Makefile.am
In-Reply-To: <20070815065602.A2DE.PCLIN@cis.nctu.edu.tw>
References: <20070815012457.580A.PCLIN@cis.nctu.edu.tw> <20070814201621.GD8819@icir.org> <20070815065602.A2DE.PCLIN@cis.nctu.edu.tw>
Message-ID: <20070814232346.GB16611@icir.org>

On Wed, Aug 15, 2007 at 07:14 +0800, Po-Ching Lin wrote:

> I also found another problem. The script autogen.sh in the top-level
> directory attempts to run "aux/broccoli/autogen.sh", but autogen.sh
> is missing in the 'broccoli' directory.

Ah, seems the file doesn't get included in the distribution. It's there in our internal subversion repository but apparently left out in the process of building the tar file. We'll fix that. Thanks for pointing this out.

I've attached the missing file, but likely it's indeed just as fine to use your work-around of adapting the one from binpac.
Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: autogen.sh
Type: application/x-sh
Size: 3331 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070814/b5f110dc/attachment.sh

From robin at icir.org Tue Aug 14 18:10:45 2007
From: robin at icir.org (Robin Sommer)
Date: Tue, 14 Aug 2007 18:10:45 -0700
Subject: [Bro] Connections
In-Reply-To: <755708.59031.qm@web26309.mail.ukl.yahoo.com>
References: <755708.59031.qm@web26309.mail.ukl.yahoo.com>
Message-ID: <20070815011045.GA24200@icir.org>

On Sat, Aug 11, 2007 at 18:23 +0000, abd abd wrote:

> Can you give a documentation for construction of connections and attributes like FLAG, Duration, .....

Sorry, I also don't really understand the question here?

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Tue Aug 14 18:12:52 2007
From: robin at icir.org (Robin Sommer)
Date: Tue, 14 Aug 2007 18:12:52 -0700
Subject: [Bro] Howto set up specific filters
In-Reply-To: <1186670387.5907.6.camel@dcaldwell>
References: <1186670387.5907.6.camel@dcaldwell>
Message-ID: <20070815011252.GB24200@icir.org>

On Thu, Aug 09, 2007 at 09:39 -0500, David Caldwell wrote:

> How do I set up a specific filter in BRO? For example, I want to filter
> things like aim, irc, edonkey, bittorrent...etc.

Sorry, I'm not sure what you mean by "filter" here. Are you referring to a packet filter, i.e., a BPF expression? Do you want to include irc etc. traffic or filter it out?
Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From mel at hackinthebox.org Thu Aug 16 02:56:18 2007
From: mel at hackinthebox.org (mel)
Date: Thu, 16 Aug 2007 17:56:18 +0800
Subject: [Bro] generating bro report from packet capture
Message-ID: <46C41F42.20305@hackinthebox.org>

Hi,

I want to generate bro reports from tcpdump packet capture files. Those files were captured from different networks. So:

bro -r file.pcap

will generate log files:

alarm.log
conn.log
notice.log
weird.log

When I run site-report.pl, I get

No connection data found for the time period specified.
Unable to create a report.

What does this error mean? Note that the packet capture files may be several days old.

--mel

From fuyiyang at gmail.com Thu Aug 16 18:55:33 2007
From: fuyiyang at gmail.com (fu yiyang)
Date: Fri, 17 Aug 2007 09:55:33 +0800
Subject: [Bro] (no subject)
Message-ID:

From fuyiyang at gmail.com Thu Aug 16 18:55:59 2007
From: fuyiyang at gmail.com (fu yiyang)
Date: Fri, 17 Aug 2007 09:55:59 +0800
Subject: [Bro] (no subject)
Message-ID:

From angelcherry2006 at hotmail.com Thu Aug 16 19:44:20 2007
From: angelcherry2006 at hotmail.com (angelcherry)
Date: Fri, 17 Aug 2007 10:44:20 +0800
Subject: [Bro] ChineseFolkCulture
Message-ID:

Hello, you can enjoy Chinese sites, Chinese music and dance, Chinese kungfu, and so on by linking the website http://www.chinesefolkculture.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070817/615ada68/attachment.html

From jp.luiggi at free.fr Thu Aug 16 21:00:14 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Fri, 17 Aug 2007 00:00:14 -0400
Subject: [Bro] generating bro report from packet capture
In-Reply-To: <46C41F42.20305@hackinthebox.org>
References: <46C41F42.20305@hackinthebox.org>
Message-ID: <20070817040014.GA4871@armada.mynetwork.local>

Hello,

The message is saying that Bro is unable to find something to say regarding the time range. It uses the date taken from the pcap file and so the various logs. The script "site-report.pl" uses (by default):

+-+-+
$DEFAULT_CONFIG->{'report-range'} = 24;
$DEFAULT_CONFIG->{'report-start'} = 'yesterday';
+-+-+

So if you run the report more than 24 hours after the date of the data captured, it seems to be normal to have nothing reported (but I may be wrong). A possible workaround is to use the options given by the script:

+-+-+
Options passed to the program on the command line

Command line reference

--report-range|-r
    Length of time (in hours) from report-start to report on. This will be
    overridden by report-end if specified. (default: 24)

--report-start|-s
    The start time of the data to report on. See date format below. Values
    of yesterday and today are also understood and default to a start time
    of 00:30 hours (default: yesterday)

--report-end|-e
    The end time of the data to report on. This will override report-range
    if specified.
    (Examples:
        2004-12-26T01:23:00, accurate to seconds field
        2004-12-26, Is the same as 2004-12-26T00:00:00
        2004-12-26T13, Is the same as 2004-12-26T13:00:00)
+-+-+

Best regards,

Jean-philippe.

On Thu, Aug 16, 2007 at 05:56:18PM +0800, mel wrote:
> Hi,
>
> I want to generate bro reports from tcpdump packet capture files. Those
> files were captured from different networks.
> So:
>
> bro -r file.pcap will generate log files:
>
> alarm.log
> conn.log
> notice.log
> weird.log
>
> When I run site-report.pl, I get
>
> No connection data found for the time period specified.
> Unable to create a report.
>
> What does this error mean? Note that the packet capture files may be
> several days old.
>
> --mel
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From rpang at cs.princeton.edu Fri Aug 17 09:34:47 2007
From: rpang at cs.princeton.edu (Ruoming Pang)
Date: Fri, 17 Aug 2007 12:34:47 -0400
Subject: [Bro] rpc decoder possible double-free problem
In-Reply-To:
References:
Message-ID:

Hi Jimmy,

Thanks a bunch for pointing out the problem. One solution is to add &refcount to "RPC_Call" and make FindCall() return a Ref'ed pointer. (~RPC_Reply() will not delete call_, but Unref it.) But this solution is not perfect either, because it doesn't work for:

RPC_AcceptedReply($context.conn.FindCall(msg.xid))

* * *

A potentially better solution is to add the "ref" at the let var definition:

call = ref(conn.FindCall(...))

But binpac currently does not recognize this syntax. It requires us to add "ref" as a binpac keyword. I will work on it once I'm back next week.

* * *

Another possibility is to avoid cleaning up of &let variables. There are a few caveats in this case:

1. All "withinput" variables should be released. This is easy to check.
2. Bytestrings should be released, too. This I plan to solve by making every bytestring release itself when going out of scope.
3. Maybe others? I can't find any, but can't tell for sure.

I think I prefer the former solution. What do you think?

Ruoming

On 7/26/07, jmzhou.ml at gmail.com wrote:
> Hi,
>
> I notice that in ~RPC_Reply, there is a statement "delete call_;". However,
> this call_ is instantiated by calling t_context->connection()->FindCall(
> msg()->xid()). This means that it is not "new"ed.
> This call_ supposedly is
> deleted in the ~RPC_Message. Thus, there is a potential double-free here.
>
> The root cause is that binpac generates the "delete call_" for &let field.
> This is incorrect behavior. However, I haven't figured out how to fix it
> in binpac.
>
> A quick fix to this problem is to modify the rpc-protocol.pac:RPC_Reply,
> replacing the RPC_AcceptedReply(call) and RPC_RejectedReply(call) with:
> RPC_AcceptedReply($context.conn.FindCall(msg.xid))
> RPC_RejectedReply($context.conn.FindCall(msg.xid))
>
> Cheers,
>
> Jimmy
> ____________________________________________________________
> The future is not set. There is no fate but what we make
> for ourselves. - Terminator II, Judgment Day
> ------------------------------------------------------------
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From rpang at cs.princeton.edu Fri Aug 17 10:30:23 2007
From: rpang at cs.princeton.edu (Ruoming Pang)
Date: Fri, 17 Aug 2007 13:30:23 -0400
Subject: [Bro] a small patch to binpac
In-Reply-To:
References:
Message-ID:

Thanks! I will integrate this patch.

Ruoming

On 6/4/07, jmzhou.ml at gmail.com wrote:
> The problem:
>
> type MyRecord = record {
>     f1: SomeRecordType;
>     f2: bytestring &length=body_len;
> } &let {
>     body_len: uint32 = f1.rec_len - sizeof (f1);
> };
>
> The above definition looks familiar, uh? It is a simplified version of
> the DCE RPC PDU. If MyRecord is incrementally parsed, the sizeof (f1)
> in the &let construct will cause trouble because getFieldBegin and
> getFieldEnd can only be used for non-incremental parsed record. If
> the size of SomeRecordType is decidable statically (in the case of
> DCE RPC, it is), then the patch fixes the problem. Now we can make
> the PDU incrementally parsed.
>
> Cheers,
>
> Jimmy
>
> ____________________________________________________________
> The future is not set.
> There is no fate but what we make
> for ourselves. - Terminator II, Judgment Day
> ------------------------------------------------------------
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>

From rreitz at fnal.gov Mon Aug 20 08:09:24 2007
From: rreitz at fnal.gov (Randolph Reitz)
Date: Mon, 20 Aug 2007 10:09:24 -0500
Subject: [Bro] How does @prefixes = local work again?
In-Reply-To: <01ab01c56ae4$3ec2d1d0$5501a8c0@muratet>
References: <006c01c566c4$7bdcac90$4801a8c0@muratet> <1117646663.3164.11.camel@laptop238.icsi.berkeley.edu> <008601c5685c$8c6e5c90$5501a8c0@muratet> <1117834375.3164.344.camel@laptop238.icsi.berkeley.edu> <1117837581.3164.364.camel@laptop238.icsi.berkeley.edu> <014401c56ac1$e9105040$5501a8c0@muratet> <42A49337.5060300@lbl.gov> <018401c56ad8$0872d230$5501a8c0@muratet> <42A4BC2E.4080809@lbl.gov> <01ab01c56ae4$3ec2d1d0$5501a8c0@muratet>
Message-ID:

Feeling empowered by having attended the recent BRO workshop, I decided I wanted to make a change to the scan.bro policy script. I recall that I heard that I should not change any scripts in the /usr/local/bro/policy directory. Rather I should move the desired script to /usr/local/bro/site and change the name to local.scan.bro for example. Having done this, when I start bro I get ...

[root at rhyolite ~]# /etc/init.d/bro start
bro.rc: Running as non-root user root
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/local.scan.bro, line 1: error: can't open scan
... FAILED

Hummm, looking at permissions in /usr/local/bro/site I see ...
[root at rhyolite rreitz]# ls -l /usr/local/bro/site
total 452
-rw-r--r-- 1 root root      6 Apr 17 00:55 incident_counter
-rw-r--r-- 1 root root  13639 Aug 20 09:37 local.scan.bro
-rw-r--r-- 1 root root    464 Jul 24 00:42 local.site.bro
-rw-r--r-- 1 root root   2026 Aug 14 14:49 rhyolite.fnal.gov.bro
-rw-r--r-- 1 root root 424977 Aug  6 09:47 signatures.sig
-rw-r--r-- 1 root root    926 Jul 25 11:06 watchdarknets.bro

The script /usr/local/bro/site/local.scan.bro begins with ...

[root at rhyolite ~]# head /usr/local/bro/site/local.scan.bro
# $Id: scan.bro 4613 2007-07-06 04:16:51Z vern $

@load notice
@load port-name
@load hot
@load trw-impl

redef enum Notice += {
	AddressDropped,		# connectivity w/ given address has been dropped
	AddressDropIgnored,	# a request to drop connectivity has been ignored

One more question. In scan.bro I want to call a script that will create an event in Fermilab's issue tracker whenever a scanner is found. I used the drop_connectivity_script variable to point to my script. Will the system() call use the existing $PATH to find the script? Should the script be in /usr/local/bro/scripts directory?

I'm using Bro Version 1.3.2. My bro start policy looks like this...

[root at rhyolite ~]# cat /usr/local/bro/site/rhyolite.fnal.gov.bro
# $Id: local.lite.bro 1115 2005-03-20 06:51:11Z vern $

# This file is intended for host-specific Bro policy.
# What is host-specific? It can be anything that is not the default
# after installation. This is the place to make tweaks and changes
# to modify policy to suit your network environment and preferences.

# The following causes Bro to load local.XXX.bro anytime you
# "@load XXX" (along with first loading XXX.bro).
#
@prefixes = local

#@load brolite		# root policy which loads all other default policies.
#
# brolite is too much for this system to handle, copy initial part
# of brolite policy down to scan.
#
# General policy - these scripts are more infrastructural than service
# oriented, so in general avoid changing anything here.
@load site		# defines local and neighbor networks from static config
@load tcp		# initialize BPF filter for SYN/FIN/RST TCP packets
@load weird		# initialize generic mechanism for unusual events
@load conn		# access and record connection events
@load hot		# defines certain forms of sensitive access
@load frag		# process TCP fragments
@load print-resources	# on exit, print resource usage information

# Scan detection policy.
@load scan		# generic scan detection mechanism

# Do drop scanning addresses
redef can_drop_connectivity = T;
redef drop_connectivity_script = "tissue-event";

@load trw		# additional, more sensitive scan detection
#@load drop		# include if installation has ability to drop hostile remotes

# now add selected policies
@load notice
@load login
@load irc
@load irc-bot

# Record system statistics to the notice file
@load stats

# File generated by the network script for dynamic configuration of
# the local network subnets.
#@load site

# Make any changes to policy starting HERE:

# To run signatures, uncomment the following line.
#@load brolite-sigs

@ifdef ( use_signatures )
# Load Bro signatures. This is the default file containing Bro
# signatures.
redef signature_files += "signatures";
@endif

Thanks,
Randy

From robin at icir.org Tue Aug 21 18:08:55 2007
From: robin at icir.org (Robin Sommer)
Date: Tue, 21 Aug 2007 18:08:55 -0700
Subject: [Bro] How does @prefixes = local work again?
In-Reply-To:
References: <1117646663.3164.11.camel@laptop238.icsi.berkeley.edu> <008601c5685c$8c6e5c90$5501a8c0@muratet> <1117834375.3164.344.camel@laptop238.icsi.berkeley.edu> <1117837581.3164.364.camel@laptop238.icsi.berkeley.edu> <014401c56ac1$e9105040$5501a8c0@muratet> <42A49337.5060300@lbl.gov> <018401c56ad8$0872d230$5501a8c0@muratet> <42A4BC2E.4080809@lbl.gov> <01ab01c56ae4$3ec2d1d0$5501a8c0@muratet>
Message-ID: <20070822010855.GI8875@icir.org>

On Mon, Aug 20, 2007 at 10:09 -0500, you wrote:

> /usr/local/bro/site/local.scan.bro, line 1: error: can't open scan
> ... FAILED

Hmmm.... I think your scripts actually look ok and I would think this should work. Can you try it without the bro.rc wrapper, i.e., set BROPATH to your policy directories and run Bro manually with the start policy file?

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From yuppie4ever at gmail.com Tue Aug 21 20:16:09 2007
From: yuppie4ever at gmail.com (Yuppie)
Date: Tue, 21 Aug 2007 20:16:09 -0700
Subject: [Bro] BuildConnVal can create a dangling pointer
Message-ID: <2999b2f00708212016j3c911869q6f3c871edc86b39@mail.gmail.com>

Looks like BuildConnVal() can be called from the connection destructor and will set the origin to "this" and thus create a dangling pointer. The connection will destruct but since conn_val has a reference counting mechanism, it will still keep referring to the connection.

I propose to fix this by creating a destructing flag bit-field inside connection. It will be initialized to zero, but set to 1 just when the destructor is entered.

Looking forward to your comments! I will provide a patch, if desired.
-vee

From angelcherry2006 at hotmail.com Fri Aug 24 02:21:47 2007
From: angelcherry2006 at hotmail.com (angelcherry)
Date: Fri, 24 Aug 2007 17:21:47 +0800
Subject: [Bro] Chinese Folk Culture-Burning Sedan on Stilts
Message-ID:

Wanshan Village is located in Qingyang City of northwest China's Henan Province. As a strategically important location with roads extending in all directions, the village was developed as a military outpost in ancient China. The old village consists of five communities named by their locations, among which the Southern Community is the cradle of the so-called "burning sedan on stilts."

The practice is said to have originated during the Tang and Song dynasties (dates) when locals celebrated the Spring Festival with performances involving dancing on stilts and carrying bridal sedan-chairs. The custom developed further during the Ming Dynasty (date) when Zhu Zaiyu, an imperial prince, abandoned his title and retired near Wanshan Village. He found that the folk artists there ranked at the bottom of the social structure, and feeling sorry for them, helped create a new art which combined stilts dancing with carrying the bridal sedan-chair.

http://www.chinesefolkculture.com/

The email is to promote Chinese folk culture without having commercial purposes. If you mind the message, please tell me, I will not interrupt you again. Thank you. TEL: +86 (29)88230462 +86 (29)88249701

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070824/f1fd269c/attachment.html

From robin at icir.org Mon Aug 27 10:15:32 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 27 Aug 2007 10:15:32 -0700
Subject: [Bro] BuildConnVal can create a dangling pointer
In-Reply-To: <2999b2f00708212016j3c911869q6f3c871edc86b39@mail.gmail.com>
References: <2999b2f00708212016j3c911869q6f3c871edc86b39@mail.gmail.com>
Message-ID: <20070827171531.GC9024@icir.org>

On Tue, Aug 21, 2007 at 20:16 -0700, you wrote:

> Looks like BuildConnVal() can be called from the connection destructor
> and will set the origin to "this" and thus create a dangling pointer.

Not sure I see that. Connection's dtor unrefs conn_val so this would need to happen after the Unref(). The only line of code after the Unref(conn_val) which could cause further connection events to be raised is "delete root_analyzer" (although I think it shouldn't). If that is indeed the case, I think the better fix is to move Unref(conn_val) to the very end of the dtor.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
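Added illustration, appended to the BuildConnVal thread above. This is constructed example code, not Bro's source and not written by either poster: the names Connection, conn_val, BuildConnVal and root_analyzer echo the ones in the thread, but every body below is a stand-in, and the Analyzer whose destructor asks for the connection's value is an assumption standing in for whatever "delete root_analyzer" might trigger. The model compares the teardown order the report describes (release conn_val, then delete the analyzer) with Robin's proposal (release conn_val as the very last step) and counts how many ConnVal objects outlive their Connection. Yuppie's destructing-flag variant is not modelled because the thread does not say what BuildConnVal should return once the flag is set.

```cpp
#include <cassert>
#include <cstdio>

// Constructed model of the destructor-ordering hazard discussed in the
// thread. NOT Bro's code: the names echo Bro's, the bodies are stand-ins.

struct Connection;

// Refcounted value caching a raw, non-owning back-pointer to its origin
// (stands in for the conn_val RecordVal). 'origin' is never dereferenced
// here; the point is only whether an object holding it outlives the Connection.
struct ConnVal {
    int refcount = 1;            // the one reference owned by the creating Connection
    Connection* origin;
    static int live;             // how many ConnVal objects exist right now
    explicit ConnVal(Connection* c) : origin(c) { ++live; }
    ~ConnVal() { --live; }
};
int ConnVal::live = 0;

static void Ref(ConnVal* v)   { ++v->refcount; }
static void Unref(ConnVal* v) { if (v && --v->refcount == 0) delete v; }

// Assumption: stands in for root_analyzer. Its destructor raises one last
// event that needs the connection's value, i.e. the "delete root_analyzer"
// path in the thread ends up calling BuildConnVal().
struct Analyzer {
    Connection* conn;
    explicit Analyzer(Connection* c) : conn(c) {}
    ~Analyzer();
};

struct Connection {
    ConnVal*  conn_val = nullptr;
    Analyzer* root_analyzer;
    bool      unref_last;        // false = order as reported, true = Robin's fix

    explicit Connection(bool fix_order) : unref_last(fix_order) {
        root_analyzer = new Analyzer(this);
    }

    // Lazily creates and caches the value; hands back a Ref'ed pointer.
    ConnVal* BuildConnVal() {
        if (!conn_val)
            conn_val = new ConnVal(this);   // back-pointer to 'this'
        Ref(conn_val);
        return conn_val;
    }

    ~Connection() {
        if (!unref_last) {
            // Reported order: release the cached value first, then tear down
            // the analyzer. If the analyzer calls BuildConnVal() on the way
            // out, a fresh ConnVal with origin == this is cached and never
            // released: it leaks and keeps pointing at freed memory.
            Unref(conn_val);
            conn_val = nullptr;
            delete root_analyzer;
        } else {
            // Fix proposed in the thread: tear down the analyzer first, so
            // releasing conn_val is the very last thing the destructor does.
            delete root_analyzer;
            Unref(conn_val);
            conn_val = nullptr;
        }
    }
};

Analyzer::~Analyzer() {
    // Simulated last event: obtain the connection's value, use it, drop our ref.
    ConnVal* v = conn->BuildConnVal();
    Unref(v);
}

// Builds a connection whose value already exists (as it normally would),
// destroys it, and returns how many ConnVal objects survived the teardown.
// 0 means nothing outlived the connection; anything else is a value still
// holding a back-pointer to a destroyed Connection.
int survivors_after_teardown(bool fix_order) {
    int before = ConnVal::live;
    Connection* c = new Connection(fix_order);
    ConnVal* v = c->BuildConnVal();
    Unref(v);                    // caller's reference gone; the Connection keeps its own
    delete c;
    return ConnVal::live - before;
}

int main() {
    printf("reported order:   %d ConnVal(s) outlive the connection\n",
           survivors_after_teardown(false));
    printf("Unref moved last: %d ConnVal(s) outlive the connection\n",
           survivors_after_teardown(true));
    return 0;
}
```

With the reported order one ConnVal survives each teardown (a leak whose origin pointer is dangling); with Unref(conn_val) moved to the end, none does, because the value the analyzer recreated is the one the final Unref releases. Any memory-safety checker run over the first variant reports the leak; a later deref of origin would be a use-after-free.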